Computation of WCET using Program Slicing and Real-Time Model-Checking

Computing accurate WCET on modern complex architectures is a challenging task. This problem has been devoted a lot of attention in the last decade but there are still some open issues. First, the control flow graph (CFG) of a binary program is needed to compute the WCET and this CFG is built using some internal knowledge of the compiler that generated the binary code; moreover once constructed the CFG has to be manually annotated with loop bounds. Second, the algorithms to compute the WCET (combining Abstract Interpretation and Integer Linear Programming) are tailored for specific architectures: changing the architecture (e.g. replacing an ARM7 by an ARM9) requires the design of a new ad hoc algorithm. Third, the tightness of the computed results (obtained using the available tools) are not compared to actual execution times measured on the real hardware. In this paper we address the above mentioned problems. We first describe a fully automatic method to compute a CFG based solely on the binary program to analyse. Second, we describe the model of the hardware as a product of timed automata, and this model is independent from the program description. The model of a program running on a hardware is obtained by synchronizing (the automaton of) the program with the (timed automata) model of the hardware. Computing the WCET is reduced to a reachability problem on the synchronised model and solved using the model-checker UPPAAL. Finally, we present a rigorous methodology that enables us to compare our computed results to actual execution times measured on a real platform, the ARM920T.

💡 Research Summary

The paper tackles three long‑standing obstacles in worst‑case execution‑time (WCET) analysis for modern embedded processors. First, it eliminates the need for compiler‑specific knowledge and manual loop‑bound annotations by automatically constructing a control‑flow graph (CFG) directly from the binary. The authors model a program as a finite set of labelled instructions (memory address, instruction pair) and define a semantics function ⟨ι⟩ that maps program states to successor states. Under mild assumptions—termination independent of input data, stack accessed only via the dedicated register, memory references deterministic, and no recursion—the CFG extraction proceeds without any user input, yielding an abstract program that is WCET‑equivalent to the original code.

Second, the paper decouples the WCET analysis from a particular hardware description. The ARM920T processor is modeled as a network of timed automata (TA): separate automata capture the five‑stage pipeline (Fetch, Decode, Execute, Memory, Write‑back), the 16 KB 8‑way instruction and data caches, the write‑buffer, and the memory bus. Each TA explicitly encodes timing constraints such as pipeline stalls, load delays, branch delays, cache hit/miss latencies, and replacement policies (FIFO or pseudo‑random). Because the hardware model is expressed in TA, swapping to a different architecture merely requires replacing the relevant automata, preserving the rest of the analysis pipeline.

Third, the authors present a rigorous methodology for validating the computed WCET against real execution times. Using an ARM920T‑based development board (Armadeus APF9328), they perform cycle‑accurate measurements, carefully controlling input data, accounting for measurement overhead, and repeating runs to obtain statistically sound bounds. The measured times are then directly compared with the WCET obtained from the model‑checking approach.

The core analysis workflow is: (1) automatically generate the CFG and reduce it to a WCET‑preserving abstract program; (2) compose this program automaton with the hardware TA network; (3) synchronize the two to form a single timed‑automata model; (4) formulate WCET as a reachability problem—finding the longest‑time path from the initial state to the termination state; (5) solve this problem using the UPPAAL model checker, which efficiently explores the timed state space. The approach inherits the modularity of model checking: changes in the hardware model or program are localized, avoiding the monolithic redesign required by ILP‑based tools. Moreover, the automatic loop unrolling performed during CFG reduction respects cache semantics, a limitation in earlier METAMOC work.

Experimental results show that the UPPAAL‑derived WCETs are tightly bounded and often significantly lower than those produced by commercial tools such as aiT, which tend to be overly conservative. The authors also discuss scalability: while model checking can become state‑space intensive for large programs, the presented abstraction techniques mitigate explosion for many realistic code fragments. They suggest future work on advanced abstraction, compositional analysis, and extending the framework to multicore systems.

In summary, the paper delivers a fully automated, hardware‑agnostic WCET analysis framework that couples binary‑level CFG extraction with timed‑automata modeling and model‑checking, and validates its accuracy against real hardware measurements. This contribution advances the state of the art by reducing manual effort, improving portability across architectures, and providing empirically verified timing guarantees for safety‑critical embedded software.